Hello all,
I've been tasked with building a standard deviation alert / dashboard / report by using the total count of events over 7 days. I've tried the following search with no success:
| metadata type=hosts index=* which gives me a totalCount of events for my hosts.
I'm trying to figure out how to display any deviation that is +/- 10% and alert on this.
I'm happy to provide further information.
Thanks!
Okay, try this:
base search
| bucket _time span=1d
| stats count BY _time countedfield
| eventstats stdev(count) as stdev BY countedfield
| eval stdevincrease = (stdev*1.1)
| where count > stdevincrease AND _time > now()-(24*60*60)
Set your earliest to be 7 days and your latest to be now.
Your buckets are 1-day time spans.
The eventstats will do the standard deviation over the 7 days, then the where clause only looks at the last day.
So you can set your alert to trigger on anything greater than 0.
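A worked equivalent of the search above in plain Python, added here as an example (it is not from the thread and not Splunk's own code): it buckets constructed events per day and host, computes the 7-day mean and sample standard deviation per host the way eventstats would, and then looks only at the most recent day, checking it both against the stdev*1.1 threshold used in the answer and against a +/-10% band around the 7-day mean, which is what the question asks for. The host names, timestamps and daily volumes are constructed; "countedfield" is taken to be the host.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev


def build_sample_events():
    """Constructed sample data: 7 days of (epoch_seconds, host) events.

    web01 is flat at ~100 events/day; web02 sits at ~50/day and then
    spikes to 80 on the last day.
    """
    volumes = {
        "web01": [100, 102, 98, 101, 99, 100, 100],
        "web02": [50, 52, 48, 50, 51, 49, 80],
    }
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    events = []
    for i in range(7):
        day = base + timedelta(days=i)
        for host, per_day in volumes.items():
            for n in range(per_day[i]):
                events.append(((day + timedelta(seconds=n)).timestamp(), host))
    return events


def daily_counts(events):
    """Equivalent of `| bucket _time span=1d | stats count BY _time host`.

    Returns {host: {date: count}}.
    """
    series = defaultdict(lambda: defaultdict(int))
    for ts, host in events:
        day = datetime.fromtimestamp(ts, tz=timezone.utc).date()
        series[host][day] += 1
    return series


def evaluate_last_day(series, pct=0.10):
    """Per host: mean and sample stdev over every daily bucket (what
    eventstats computes, Splunk's stdev is the sample stdev), then judge
    only the most recent bucket (what the where clause restricts to).
    """
    results = {}
    for host, by_day in series.items():
        values = [by_day[d] for d in sorted(by_day)]
        last = values[-1]
        avg = mean(values)
        sd = stdev(values) if len(values) > 1 else 0.0
        results[host] = {
            "count": last,
            "mean": avg,
            "stdev": sd,
            # fractional change of the last day relative to the 7-day mean
            "pct_change": (last - avg) / avg if avg else 0.0,
            # the +/-10% deviation the question asks about
            "outside_band": abs(last - avg) > pct * avg,
            # the threshold the answer above uses: count > stdev*1.1
            "above_stdev_x1_1": last > sd * 1.1,
        }
    return results


def hosts_to_alert(results):
    """Hosts whose last day is outside the +/-10% band; an alert would
    fire when this list is non-empty (count greater than 0)."""
    return sorted(h for h, r in results.items() if r["outside_band"])


if __name__ == "__main__":
    res = evaluate_last_day(daily_counts(build_sample_events()))
    for host, r in sorted(res.items()):
        print(f"{host}: count={r['count']} mean={r['mean']:.1f} "
              f"stdev={r['stdev']:.2f} pct_change={r['pct_change']:+.1%} "
              f"outside_band={r['outside_band']}")
    print("alert on:", hosts_to_alert(res))
```

Running it prints one line per host and a final "alert on: ['web02']"; swapping in a different `pct` (or a z-score test on `stdev`) is a one-line change in `evaluate_last_day`, which makes it easy to compare candidate thresholds on a week of real counts before committing one to the saved search.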
A deviation over what time frame? You said 7 days for the total count, but are you comparing daily? Hourly?
I will be comparing daily.